mirror of https://github.com/minio/docs.git synced 2025-07-31 18:04:52 +03:00

Adds info about tag-based policies (#659)

Policies can now include conditions for certain types of actions. If the
object has an existing tag, the user can complete the action. Otherwise,
the user cannot.

In the Access Management doc
- Adds a section near the top about tag based policies
- In the conditional section, adds `s3.ExistingObjectTag` as an allowed
conditional for several specific actions.

Closes #604

Adds warning about weak policy condition keys.

Closes #596
This commit is contained in:
Daryl White
2022-12-05 12:45:32 -06:00
committed by GitHub
parent 146cc8afa5
commit 443e2f2a7c


@ -13,21 +13,25 @@ Access Management
Overview Overview
-------- --------
MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions MinIO uses Policy-Based Access Control (PBAC) to define the authorized actions and resources to which an authenticated user has access.
and resources to which an authenticated user has access. Each policy describes Each policy describes one or more :ref:`actions <minio-policy-actions>` and :ref:`conditions <minio-policy-conditions>` that outline the permissions of a :ref:`user <minio-users>` or :ref:`group <minio-groups>` of users.
one or more :ref:`actions <minio-policy-actions>` and :ref:`conditions
<minio-policy-conditions>` that outline the permissions of a
:ref:`user <minio-users>` or :ref:`group <minio-groups>` of
users.
MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and MinIO PBAC is built for compatibility with AWS IAM policy syntax, structure, and behavior.
behavior. The MinIO documentation makes a best-effort to cover IAM-specific The MinIO documentation makes a best-effort to cover IAM-specific behavior and functionality.
behavior and functionality. Consider deferring to the :iam-docs:`IAM Consider deferring to the :iam-docs:`IAM documentation <>` for more complete documentation on AWS IAM-specific topics.
documentation <>` for more complete documentation on AWS IAM-specific topics.
The :mc:`mc admin policy` command supports creation and management of The :mc:`mc admin policy` command supports creation and management of policies on the MinIO deployment.
policies on the MinIO deployment. See the command reference for examples of See the command reference for examples of usage.
usage.
Tag-Based Policy Conditions
---------------------------
.. versionchanged:: RELEASE.2022-10-02T19-29-29Z
Policies can use conditions to limit a user's access only to objects with a specific tag.
MinIO supports :s3-docs:`tag-based conditionals <tagging-and-policies.html>` for policies for :ref:`selected actions <minio-selected-conditional-actions>`.
Use the ``s3:ExistingObjectTag/<key>`` in the ``Condition`` statement of the policy.
.. _minio-policy-built-in: .. _minio-policy-built-in:
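Review bot: the new Tag-Based Policy Conditions section tells readers to use ``s3:ExistingObjectTag/<key>`` in the ``Condition`` statement but never shows what such a condition looks like, and the sentence "Use the ``s3:ExistingObjectTag/<key>`` in the ``Condition`` statement" is missing its noun (condition key). Add a short JSON fragment so readers see that the key is matched against the tag's value with a string operator, for example ``"Condition": { "StringEquals": { "s3:ExistingObjectTag/department": "finance" } }``, and state what happens when the object carries no such tag (the condition does not match, so an Allow gated on it grants nothing). The commit message writes the key as ``s3.ExistingObjectTag`` with a dot while the section uses the colon form; the colon form is the one policy authors must type, so keep the two consistent.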
@ -263,6 +267,10 @@ subsections document actions for more advanced S3 operations:
Controls access to the :s3-api:`GetObjectTagging <API_GetObjectTagging.html>` Controls access to the :s3-api:`GetObjectTagging <API_GetObjectTagging.html>`
S3 API operation. S3 API operation.
.. policy-action:: s3:DeleteObjectTagging
Controls access to the :s3-api:`DeleteObjectTagging <API_DeleteObjectTagging.html>` S3 API operation.
Bucket Configuration Bucket Configuration
~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~
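Review bot: the new ``s3:DeleteObjectTagging`` entry only maps the action to its S3 API operation, yet the table added later in this commit lists ``s3:ExistingObjectTag/<key>`` as a supported condition key for it. Add a one-line cross-reference (a ``:ref:`` to ``minio-selected-conditional-actions``) here so a reader of the action list learns the action can be tag-gated, and note that deleting an object's tags also removes the attribute that other tag-conditioned statements in the same policy depend on.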
@ -517,6 +525,15 @@ MinIO supports the following condition keys for all supported
- ``aws:username`` - ``aws:username``
- ``x-amz-content-sha256`` - ``x-amz-content-sha256``
.. warning::
The ``aws:Referer``, ``aws:SourceIp``, and ``aws.UserAgent`` keys may be easily spoofed and therefore pose a potential security risk.
MinIO recommends only using these condition keys to *deny* access as a secondary security measure.
**Never** use these three keys to grant access by themselves.
.. _minio-selected-conditional-actions:
The following table lists additional supported condition keys for specific The following table lists additional supported condition keys for specific
actions: actions:
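Review bot: ``aws.UserAgent`` in the warning uses a dot where the other two keys (``aws:Referer``, ``aws:SourceIp``) and the list above (``aws:username``) use a colon; change it to ``aws:UserAgent`` so the key matches what a policy author actually writes. The new ``.. _minio-selected-conditional-actions:`` label needs a blank line after the warning and should sit directly above the paragraph it targets so the reference resolves to the table rather than to the admonition. One sentence on why these keys are weak (Referer and User-Agent are headers the client sets freely; SourceIp is the address of the last network hop, so a reverse proxy or load balancer hides the real client) would make the Deny-only recommendation easier to accept.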
@ -531,6 +548,7 @@ actions:
* - :policy-action:`s3:GetObject` * - :policy-action:`s3:GetObject`
- | ``x-amz-server-side-encryption`` - | ``x-amz-server-side-encryption``
| ``x-amz-server-side-encryption-customer-algorithm`` | ``x-amz-server-side-encryption-customer-algorithm``
| ``s3:ExistingObjectTag/<key>``
* - :policy-action:`s3:ListBucket` * - :policy-action:`s3:ListBucket`
- | ``prefix`` - | ``prefix``
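Review bot: ``s3:ExistingObjectTag/<key>`` is added to ``s3:GetObject`` but not to ``s3:GetObjectVersion``, which in the later hunk still lists only ``versionid``. If tag conditions are also evaluated for versioned reads, the two rows should match; if they are not, a user holding a tag-gated ``s3:GetObject`` Allow plus an unconditioned ``s3:GetObjectVersion`` Allow can read the same data by naming a version ID. State which behavior applies so policy authors know whether to gate both actions.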
@ -546,6 +564,7 @@ actions:
| ``object-lock-retain-until-date`` | ``object-lock-retain-until-date``
| ``object-lock-mode`` | ``object-lock-mode``
| ``object-lock-legal-hold`` | ``object-lock-legal-hold``
| ``s3:ExistingObjectTag/<key>``
* - :policy-action:`s3:PutObjectRetention` * - :policy-action:`s3:PutObjectRetention`
- | ``x-amz-object-lock-remaining-retention-days`` - | ``x-amz-object-lock-remaining-retention-days``
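Review bot: this row adds ``s3:ExistingObjectTag/<key>`` to an action whose name sits above the hunk; from the object-lock keys it appears to be ``s3:PutObject``. For a put, an "existing" tag is only present when the request overwrites an object that is already there, so an Allow conditioned on it can never match a new key. Say how the condition evaluates for a brand-new object (no match, so the upload is denied unless another statement allows it) and confirm the check runs against the object's pre-overwrite tags; otherwise readers will write policies that silently block uploads.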
@ -564,10 +583,16 @@ actions:
* - :policy-action:`s3:GetObjectVersion` * - :policy-action:`s3:GetObjectVersion`
- ``versionid`` - ``versionid``
* - :policy-action:`s3:DeleteObjectVersion` * - :policy-action:`s3:DeleteObjectVersion`
- ``versionid`` - ``versionid``
* - :policy-action:`s3:PutObjectTagging`
- ``s3:ExistingObjectTag/<key>``
* - :policy-action:`s3:DeleteObjectTagging`
- ``s3:ExistingObjectTag/<key>``
.. _minio-policy-mc-admin-actions: .. _minio-policy-mc-admin-actions:
``mc admin`` Policy Action Keys ``mc admin`` Policy Action Keys
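Review bot: ``:policy-action:`s3:PutObjectTagging``` is referenced in the new row, but this commit only adds a ``.. policy-action::`` target for ``s3:DeleteObjectTagging``; confirm the Put target already exists or the role will fail to resolve. More importantly, a tag-conditioned Allow on ``s3:PutObjectTagging`` lets the grantee replace the object's entire tag set, including the tag that satisfied the condition, and ``PutObjectTagging`` is also the call used to add a tag in the first place, so a user who may tag objects can grant themselves access under every other tag-gated statement. Add a short caution next to these two rows that the gating tag itself must be protected (no ``s3:PutObjectTagging`` for the users whose access it controls, or an explicit Deny on changing that key).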